[Phpmyadmin-devel] [Fwd: Re: CVE for phpMyAdmin PMASA-2007-6]

Marc Delisle Marc.Delisle at cegepsherbrooke.qc.ca
Tue Oct 23 14:06:46 CEST 2007


Hi Thijs,
Yes, it's a good idea, I'll implement your suggestions.

Marc

Thijs Kinkhorst wrote:
> Hi devs,
> 
> I requested a CVE id to be assigned for PMASA-2007-6, which is quoted below.
> If I have spotted it correctly, I do not see much use of CVE ids within
> phpMyAdmin. It would be very helpful for security workers in e.g.
> distributions if the PMASA advisories would mention the corresponding CVE
> numbers when such a number is or becomes available. It could also have a
> place in the relevant changelog entry that fixes the problem.
> 
> Would you consider doing that?
> 
> Thanks
> Thijs
> (also on behalf of the Debian security team)
> 
> 
> ---------------------------- Original Message ----------------------------
> Subject: Re: CVE for phpMyAdmin PMASA-2007-6
> From:    "Steven M. Christey" <coley at linus.mitre.org>
> Date:    Mon, October 22, 2007 22:19
> To:      "Thijs Kinkhorst" <thijs at debian.org>
> Cc:      cve at mitre.org
> --------------------------------------------------------------------------
> 
> 
> Hello,
> 
> Use CVE-2007-5589
> 
> - Steve
> 
> ======================================================
> Name: CVE-2007-5589
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5589
> Reference:
> MISC:http://www.digitrustgroup.com/advisories/TDG-advisory071015a.html
> Reference:
> CONFIRM:http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/MAINT_2_11_1/phpMyAdmin/ChangeLog?r1=10796&r2=10795&pathrev=10796
> Reference:
> CONFIRM:http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin?view=rev&revision=10796
> Reference:
> CONFIRM:http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2007-6
> Reference: FRSIRT:ADV-2007-3535
> Reference: URL:http://www.frsirt.com/english/advisories/2007/3535
> Reference: SECUNIA:27246
> Reference: URL:http://secunia.com/advisories/27246
> 
> Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin
> before 2.11.1.2 allow remote attackers to inject arbitrary web script
> or HTML via certain input available in (1) PHP_SELF in (a)
> server_status.php, and (b) grab_globals.lib.php, (c)
> display_change_password.lib.php, and (d) common.lib.php in libraries/;
> and certain input available in PHP_SELF and (2) PATH_INFO in
> libraries/common.inc.php.  NOTE: there might also be other vectors
> related to (3) REQUEST_URI.
> 